CANCUN, Mexico – Researchers at NCC Group have discovered multiple backdoors on a UK government contractor’s computer systems designed to steal sensitive government and military data. The hack is tied to China-linked cyber espionage group APT15, which researchers said is utilizing many new tools to carry out its attacks.
According to researchers, the APT15 group was able to deploy three backdoors – identified as RoyalCli, RoyalDNS and BS2005 – on an unnamed UK contractor’s systems. These backdoors helped the threat actor collect data related to the UK government’s military technology. The networks were compromised from May 2016 until late 2017 and infected over 30 contractor controlled hosts, said the NCC Group, which first revealed its report on the attack at Kaspersky Lab’s Security Analyst Summit last week.
APT29 Used Domain Fronting, Tor to Execute Backdoor
Threatpost News Wrap, December 8, 2016
Threatpost News Wrap, November 18, 2016
“During our analysis of the compromise, we identified new backdoors that now appear to be part of APT15’s toolset. The backdoor BS2005 – which has traditionally been used by the group – now appears alongside the additional backdoors RoyalCli and RoyalDNS,” according to the NCC Group report on the attack.
Researchers at FireEye had previously analyzed BS2005 in 2013, which was used by APT15 to target European diplomats and ministries of foreign affairs. NCC Group’s examination of the reused code in each of the backdoor samples allowed researchers to connect the dots, asserting that the backdoors were linked to the same threat actor, APT15 (also known as K3chang, Mirage, Vixen Panda, GREF and Playful Dragon).
It’s unclear what the group’s initial entry point was into the network, however researchers believe that the adversary used a bevy of tools starting with the open-source tool Mimikatz tool that was used to gain domain administrator credentials, “aiding them in later stealing a VPN certificate which they used to access the victim’s network remotely” and ultimately installing the backdoors.
Researchers said the group also used the backdoors in tandem with Windows command prompt cmd.exe to carry out further commands and drop various additional tools on infected systems.
“All of the backdoors identified – excluding RoyalDNS – required APT15 to create batch scripts in order to install its persistence mechanism. This was achieved through the use of a simple Windows run key. We believe that APT15 could have employed this technique in order to evade behavioral detection, rather than due to a lack of sophistication or development capability,” said NCC Group’s report.
Researchers said additional tools were used by the group including archiving tool WinRAR, a Microsoft SharePoint tool known as “spwebmember” and an unidentified network scanning/enumeration tool. “The group also used keyloggers and their own .NET tool to enumerate folders and dump data from Microsoft Exchange mailboxes,” researchers said.
“Spwebmember was written in Microsoft .NET and includes hardcoded values for client project names for data extraction. The tool would connect to the SQL SharePoint database and issue a query to dump all data from the database to a temporary file affixed with ‘spdata,’” according to NCC Group’s report.
“Once inside the victim’s network, the group was able to extract and collect information in multiple ways. The group used a tool called Comma Separated Value Data Exchange (CSVDE), which can export data in bulk from Microsoft Windows Active Directory, as well as Bulk Copy Program (BCP), which comes with Microsoft SQL, to export data from Microsoft SQL databases,” according to NCC Group.
Researchers observed over 200 commands executed by the attacker against the compromised hosts leading them to believe the threat actor is highly sophisticated and at the same time had “no problem writing tools which are specific to its victims.”
“Analysis of the commands executed by APT15 reaffirmed the group’s preference to ‘live off the land’. They utilised Windows commands in order to enumerate and conduct reconnaissance activities such as tasklist.exe, ping.exe, netstat.exe, net.exe, systeminfo.exe, ipconfig.exe and bcp.exe,” wrote researchers.
When NCC Group initially discovered APT15, they ejected the group from the victim’s network, However, a few weeks later, APT15 later managed to regain access through the corporate VPN solution using a VPN certificate stolen from a compromised host – and this time, the group was using a newer backdoor – RoyalDNS.
The RoyalDNS backdoor takes commands, runs them, and returns output using domain name system (DNS) – installing itself and communicating on DNS rather than HTTP, unlike the other two backdoors. NCC Group said that both RoyalCLI and BS2005 communicate with the attacker’s command and control (C2) through Internet Explorer (IE) by using the COM interface IWebBrowser2 – meaning that C2 data is cached to the desk by the IE process.
APT15 has surfaced over the past years, and has been tied to attacks including the TidePool malware attack used in an ongoing campaign against Indian embassy personnel globally in 2016, and the BS2005 attack targeting European diplomats and ministries of foreign affairs discovered in 2013.
“Knowledge sharing in the security industry is vital in order to improve the security posture and capabilities of the sector and UK as a whole. Discussing these types of insights is therefore necessary to ensure that we’re always able to understand and adapt to an ever-increasing variety of threats,” Ahmed Zaki, senior malware researcher at NCC Group, said in the report.